In the News

Sarah Thompson Discusses GDPR for HR Magazine and Employee Benefits

March 16, 2018

McGuireWoods London’s Sarah Thompson, an authoritative voice on data protection and privacy law in Europe, has been sharing her insights with a number of media sources regarding the EU’s General Data Protection Regulation, which goes into effect May 25. Most recently, HR magazine quoted remarks she made during a webinar, and she wrote another article for Employee Benefits.

HR magazine’s March 15 issue quoted comments Thompson made as a panelist for a webinar presented to top human resources executives and managers titled “GDPR: What HR Needs to Know.” The magazine sponsored the March 14 discussion with Sage Business Cloud People.

A poll of webinar participants revealed that nearly two-thirds considered HR skillsets a major obstacle to businesses’ readiness for the GDPR, which tightens rules on business data protection and imposes significant penalties for violations. One recommended practice is that each organization designate its own data protection officer (DPO), and HR also has a duty within those organizations to clarify who is responsible for what. But should an HR leader assume the DPO role?

“The DPO can’t be in the position of conflict of interest and the employee’s role must be compatible with the DPO role,” Thompson said. Though a business is legally required only under certain circumstances to appoint a DPO, she added, “guidance recommends that if you’ve got the budget to do it, do it.”

According to a March 13 article Thompson authored for Employee Benefits, the GDPR’s May 25 deadline effectively marks “the start of an ongoing and evolutionary compliance journey” for businesses that are subject to the new rules.

She noted that the Information Commissioner’s Office has warned that there will be no grace period for businesses to be fully compliant. But, she added, “The ICO is aware of the real world in which businesses need to operate and takes a pragmatic view on compliance and enforcement.” Organizations won’t be fined the maximum penalty of €20 million on May 26 if they are not 100 percent compliant, she explained.

All a business “can do is its best to meet legal requirements and mitigate any adverse impact that its processing may have on data subjects and their personal data,” she wrote. If a data breach occurs, she said, ICO will take into account the steps a business has taken to demonstrate compliance.